Hello List

I have encountered an "annoying" issue: due to the many tasks in my work, the OSSEC emails are somewhat neglected, or "hidden" in the barrage of email I get in my mailbox, and that makes me miss some important information.

I decided that I need a way to be alerted if a high-priority alert is generated by OSSEC, so I wrote a check that looks for those alerts in the OSSEC mailbox (attached file).

The script takes a minimal set of parameters: host, username, password and time (how far back to check; I run it 5 minutes back).

I hope this will help those of us who use OSSEC with Nagios/Icinga in their network.

Regards

--

Assaf Flatto Linux System Administrator
No.9 | 6 Portal Way | London | W3 6RU |
T: +44 (0)20 88 96 8014 | M: +44 (0)75 3568 1067

-----------------------------------------------------------------------------------------------------------------------------------------
LOVEFiLM UK Limited is a company registered in England and Wales. Registered Number: 06528297. Registered Office: No.9, 6 Portal Way, London W3 6RU, United Kingdom.

This e-mail is confidential to the ordinary user of the e-mail address to which it was addressed. If you have received it in error, please delete it from your system and notify the sender immediately.

This email message has been delivered safely and archived online by Mimecast.
For more information please visit http://www.mimecast.co.uk -----------------------------------------------------------------------------------------------------------------------------------------
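#!/usr/bin/perl
# Written By Assaf Flatto
# description: Checks the emails in the OSSEC mail box and reports of emails in
#              severity >10 (an OSSEC "Alert level" of 10 or higher)
#
# Nagios/Icinga plugin.  The exit status follows %ERRORS from the Nagios
# utils module: CRITICAL when a qualifying alert is found inside the time
# window, OK when none is found, UNKNOWN for usage and connection problems.

use strict;
use warnings;
use lib "/usr/local/nagios/libexec";
use Mail::IMAPClient;
use DateTime::Format::Mail;
use DateTime;
use utils qw(&print_revision %ERRORS);
use Getopt::Long;

# File-scoped globals: option values, plugin identity, and the subject of the
# message currently under inspection ($alert is filled in by the scan loop).
our ($opt_V, $opt_h, $opt_H, $opt_u, $opt_p, $opt_t, $VERSION, $PROGNAME, $alert);

$PROGNAME = "check_ossec_mails";
$VERSION  = 0.1;

# Print the usage text to STDOUT and leave with UNKNOWN, which is what
# Nagios expects from a plugin that could not run at all.
sub print_help {
    print "Usage:\n";
    print "  $PROGNAME :Checks the emails in the OSSEC mail box and reports of emails in severity >10 \n";
    print "  -h , --help : Display this help data \n";
    print "\n";
    print " $PROGNAME takes the following parameters :\n";
    print " \t-H , --host : The Mail Server FQDN or IP address \n";
    print " \t-u , --username : the mailbox access username \n";
    print " \t-p , --password : Mailbox Password \n";
    print " \t-t , --time : the time interval (in minutes) to check for the alerts\n";
    print " \n";
    print " Execution format :\n";
    print " $PROGNAME -H <host> -u <username> -p <password> -t <time-interval> \n";
    print " \n";
    print "Copyright (c) 2009 Assaf Flatto\n\n";
    exit $ERRORS{'UNKNOWN'};
}

# -H/-u/-p take a string value and -t an integer.  The previous spec declared
# all of them as bare flags, so "-H host" set $opt_H to 1 and left "host" in
# @ARGV; the switches only appeared to work because of the positional
# fallback further down.  An unparseable command line now shows the usage.
Getopt::Long::Configure('bundling');
GetOptions(
    'V|version'    => \$opt_V,
    'h|help'       => \$opt_h,
    'H|host=s'     => \$opt_H,
    'u|username=s' => \$opt_u,
    'p|password=s' => \$opt_p,
    't|time=i'     => \$opt_t,
) or print_help();

# Show Version
if ($opt_V) {
    print "$PROGNAME $VERSION \n";
    exit $ERRORS{'UNKNOWN'};
}

# Show Help (print_help exits itself, so no further exit is needed here)
print_help() if $opt_h;

my @msgct = ();   # was "= 0", i.e. a one-element list that defeated the empty check
my $stat  = 0;

# The positional form "host user password minutes" is still accepted, but it
# only fills in values that were not already supplied by a switch (the
# positional values used to overwrite the switches unconditionally).
$opt_H = $ARGV[0] unless defined $opt_H;
$opt_u = $ARGV[1] unless defined $opt_u;
$opt_p = $ARGV[2] unless defined $opt_p;
$opt_t = $ARGV[3] unless defined $opt_t;

# NOTE: the mailbox password arrives on the command line, so it is visible
# to every local user in the process list for the duration of the check;
# a root-owned configuration file read by the plugin is the safer source.

print_help()
    unless defined $opt_H && defined $opt_u && defined $opt_p && defined $opt_t;

# The window arithmetic later on needs a positive number of minutes; the
# positional path is not type-checked by Getopt::Long, so check it here.
unless ($opt_t =~ /\A\d+\z/ && $opt_t > 0) {
    print "OSSEC Unknown : -t/--time must be a positive number of minutes \n";
    exit $ERRORS{'UNKNOWN'};
}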

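# Lowest OSSEC alert level that is reported as CRITICAL.  OSSEC levels run
# 0..15; the previous test matched only the literal strings "Alert level 10",
# "11" and "12", so levels 13-15 (the most severe) were reported as OK.
use constant CRITICAL_LEVEL => 10;

# Print one Nagios status line, close the IMAP session if one is open, and
# exit with the plugin return code for $state (a key of %ERRORS).
sub _finish {
    my ($imap, $state, $message) = @_;
    print "$message\n";
    $imap->logout() if $imap && $imap->IsConnected();
    exit $ERRORS{$state};
}

# With positional arguments $opt_t reaches this point unvalidated; a
# non-numeric value would silently turn the window into "now".
unless (defined $opt_t && $opt_t =~ /\A\d+\z/ && $opt_t > 0) {
    _finish(undef, 'UNKNOWN',
        "OSSEC Unknown : -t/--time must be a positive number of minutes ");
}

# NOTE: no Ssl/Starttls option is passed, so this is a plain IMAP session:
# the credentials and the alert text cross the network unencrypted unless
# the server insists on TLS.  Mail::IMAPClient accepts Ssl => 1 (or
# Starttls => 1) when the server supports it.
my $client = Mail::IMAPClient->new(
    Server   => $opt_H,
    User     => $opt_u,
    Password => $opt_p,
);

# A failed connection or login used to die() with exit status 255, which
# Nagios reports as "return code out of bounds"; report UNKNOWN instead.
unless ($client && $client->IsAuthenticated()) {
    my $why = $client ? $client->LastError : $@;
    $why = '' unless defined $why;
    _finish($client, 'UNKNOWN',
        "OSSEC Unknown : cannot log in to $opt_H as $opt_u: $why ");
}

$client->select("Inbox")
    or _finish($client, 'UNKNOWN', "OSSEC Unknown : Could not select Inbox: $@ ");

my $window_start = time() - $opt_t * 60;
my $parser       = DateTime::Format::Mail->new();

# IMAP SINCE has day granularity, so this only narrows the candidates; the
# exact cut-off is applied per message from its Date: header below.  A
# failed SEARCH may yield undef in list context, which is dropped here.
my @messages = grep { defined $_ } $client->since($window_start);

_finish($client, 'UNKNOWN', "OSSEC Unknown : Array Empty - Problems detected  ")
    unless @messages;

# The whole candidate list is scanned instead of stopping at the first
# message older than the window: sequence numbers follow arrival order while
# Date: is written by the sender, and the two need not agree.
MESSAGE:
for my $msg (reverse @messages) {
    my $stamp = $client->date($msg);
    my $epoch = defined $stamp
        ? eval { $parser->parse_datetime($stamp)->epoch }
        : undef;

    # A missing or unparseable Date: keeps the message in scope; skipping it
    # could hide a real alert, which is the worse failure for a monitor.
    next MESSAGE if defined $epoch && $epoch < $window_start;

    my $subject = $client->get_header($msg, "Subject");
    $subject = '' unless defined $subject;

    # The subject is written by whoever can mail this box; a newline in it
    # would be read by Nagios as the start of multi-line plugin output, so
    # control characters are flattened before the text is echoed.
    $subject =~ tr/\x00-\x1f\x7f/ /;

    if ($subject =~ /Alert\s+level\s+(\d+)/ && $1 >= CRITICAL_LEVEL) {
        _finish($client, 'CRITICAL',
            "OSSEC ALERT : Critical Alerts detected $subject ");
    }
}

# Every in-window message was inspected and none reached the threshold.
# (The previous version fell off the end here with no output at all.)
_finish($client, 'OK', "OK : No Critical OSSEC Alerts found  ");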
